I'm sick of seeing spam on Facebook and voicemail of friends with virus-laden computers. Why, just the other day they somehow convinced 20 people I friended to use bookmarklets to infest themselves, and bookmarklets are the most confuzzling thing ever.

The security experts say that phishing et al. can only be stopped by common sense, but since I don't have any I don't really trust common sense. What's a more reliable (software, hardware, service) method?

3 Answers

Do you want to protect yourself, or your friends? I've found that no matter what you do, some people just can't figure out that they shouldn't blindly type their passwords in anywhere or click on any link they're sent. Here are a few tips, though:

Use a browser which checks pages against a known phishing database. Chrome and Firefox use Google's SafeBrowsing database, and Internet Explorer 8+ uses Microsoft's SafeScreen. If a site is known to be compromised, the browser will warn you not to visit it.

Use a browser which is sandboxed to prevent infection from spreading. This won't usually help against phishing attacks, but can lessen the chances of malware. Chrome and IE9 on Windows Vista and later are sandboxed, and only Chrome sandboxes plugins like Flash and Adobe Reader, too.

Always check the title bar to see if you are on a secure site (starting with https://) whenever you enter a password. If you get in the habit of always checking, you can lessen the chances of entering your credentials on a phishing site.

Take this Phishing IQ test to see what sorts of attacks are common and educate yourself. Experience is the second best alternative to common sense: the more you're exposed to something, the more likely you are to recognize it.

Make sure your browser's security features are turned on, so that it asks you before installing add-ons and such.

Ultimately, there is no alternative to common sense. You need to be aware whenever you are online of what you are clicking on, and who you are giving information to. Here are some things which are common sense, but are good to be reminded of. Put them on a sticky note by your computer if you need help remembering:

Never tell anyone your password in an email, over the phone, or in any way other than typing it into a secure login form.

Never enter your credit card info on any website which is not at a secure address (https://).

Do not click on links which seem "too good to be true". They probably are.

Do not install things which are not from a trustworthy source. Do you know the person who made it? Do you know they're reputable?

Do not reply to unsolicited emails asking for personal information. No reputable business will ever do this.

If you rarely get correspondence from somebody and they unexpectedly send you an email, Facebook post, or other message with links to another site, their account has probably been compromised. Don't click on the link.

After you have virtualized Firefox you should start using LastPass to manage your passwords and install the NoScript and AdBlock add-ons. Disable notifications for NoScript and enable scripting on trusted sites only.

Virtualizing your browser will stop malware from infecting your system, but it will still be able to run inside the sandbox, so you should reset the sandbox if you think you have been infected by a website. The Dell Secure Browser is pretty easy to reset.

LastPass will fill passwords for you on the site that you saved them for, so you don't have to worry about keyloggers and there is less worry of giving your information to malicious people. They would have to poison your DNS to make LastPass see the correct URL.

AdBlock will stop most advertisements which slow down the loading of websites and can carry malware.

NoScript can be very hard to get used to because almost all websites are broken until you enable scripting for them, but it is a huge safeguard. You should try to use it, and when visiting a website click the S symbol in the bottom right and allow scripts for the website you are visiting if you need to. You may need to enable more than one URL, e.g. for YouTube you need to enable youtube.com and ytimg.com so that you can view videos.
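The first answer tells you to look for https:// before typing a password; the second says LastPass only fills a saved password when the current site matches the one it was saved for. The following added example (not code from the original answers, LastPass, or any real password manager) shows why the second rule is the stronger one: a small autofill decision function that requires https *and* compares the page's hostname against the saved site's domain with a proper subdomain rule. The vault contents, the matching policy (saved domain or a subdomain of it), and the sample URLs are all assumptions constructed for the demo; a real manager derives the registrable domain from the Public Suffix List rather than storing it by hand.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: the domain each credential was saved for (passwords omitted).
# Assumed policy: a credential may be filled on that domain or any subdomain of it.
VAULT = {
    "facebook.com": {"user": "alice@example.test"},
    "bank.example": {"user": "alice"},
}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if none can be parsed."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower().rstrip(".")


def host_matches(saved_domain: str, current_host: str) -> bool:
    """True when current_host is saved_domain itself or a subdomain of it.

    A naive substring test ('facebook.com' in current_host) would also accept
    'www.facebook.com.account-check.test'; requiring the saved domain to be the
    whole host or to follow a dot separator does not.
    """
    return current_host == saved_domain or current_host.endswith("." + saved_domain)


def should_autofill(vault: dict, current_url: str) -> Tuple[Optional[str], str]:
    """Decide whether a saved credential may be filled on current_url.

    Returns (domain, reason): domain is the matching vault key, or None when
    the manager should refuse to fill.
    """
    parts = urlsplit(current_url)
    if parts.scheme != "https":
        # Mirrors the "look for https://" advice, but enforced by software.
        return None, "refuse: login forms are only filled over https"
    host = normalize_host(current_url)
    if host is None:
        return None, "refuse: URL has no usable hostname"
    if parts.username or parts.password:
        # Anything before '@' is user-info, not the host; never match on it.
        return None, "refuse: URL carries a user-info component"
    for domain in vault:
        if host_matches(domain, host):
            return domain, f"fill: {host} belongs to saved site {domain}"
    return None, f"refuse: {host} is not a saved site"


# Constructed sample URLs: two legitimate, one plain http, two lookalikes.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://login.facebook.com/",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com.account-check.test/login",
    "https://facebook.com@account-check.test/login",
]


def run_demo(vault: dict = VAULT, urls=SAMPLE_URLS) -> dict:
    """Evaluate every sample URL and return {url: (domain, reason)}."""
    return {url: should_autofill(vault, url) for url in urls}


if __name__ == "__main__":
    for url, (_domain, reason) in run_demo().items():
        print(f"{url:52} -> {reason}")
```

Note that the last two sample URLs do start with https://, so the "check the title bar" habit alone would pass them; the manager refuses both because the hostname is not facebook.com or a subdomain of it. That is the sense in which a password manager removes the need to eyeball the address on every login.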

The problem with anything other than common sense is that, well, it needs to keep up with new threats.

For example, no software solution would fix some of the more worm-like applications in Facebook; skeptical computing might. You could also blacklist all JS scripts that aren't explicitly allowed, with something like NoScript, but in a JS-heavy internet that's a pain.

On the other hand, not actually TRUSTING just about anything you see online, or 'common sense' (or as I call it, skeptical computing), should protect you from just about anything.